On Tue, Mar 07, 2017 at 01:18:36PM +0100, Pavel Březina wrote:
On 03/07/2017 01:16 PM, Pavel Březina wrote:
On 03/06/2017 02:49 PM, Jakub Hrozek wrote:
Hi,
I prepared a design page for a new feature about fetching and authenticating non-POSIX users: https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html
For your convenience, I'm also copying the .rst text below:
Support for non-POSIX users and groups
Related ticket(s):
https://pagure.io/SSSD/sssd/issue/3310I find this document quite hard to understand, so I want to ensure I get it right:
- You can't have one domain that return both posix and non-posix users.
- PAM is allowed to login a non-posix users for given services.
- If CACHE_REQ_APP is used, non-posix domains are searched first then
posix domains. 4) If CACHE_REQ_POSIX is used, non-posix domains are skipped. 5) Non-posix domains require fully qualified name. 6) Posix users return only posix groups membership. 7) Non-posix users return both posix and non-posix membership.
And 8) You can have two users, one posix, one non-posix with the same name.
In theory yes, but I don't think this would be too common. In general you could have two entries, one with objectclass user, the other with objectclass posixUser where each domain would use a different attribute for the username. But even so, I think the current scheme would protect us against these strange setups.